From: Kevin Oberman
Date: Tue, 23 Aug 2016 13:39:32 -0700
Subject: Re: Upcoming OpenSSL 1.1.0 release
To: Matt Smith, Roger Marquis, "ports@FreeBSD.org"
In-Reply-To: <20160823195434.GB98827@xtaz.uk>
References: <6d35459045985929d061f3c6cca85efe@imap.brnrd.eu> <0E328A9485C47045F93C19AB@atuin.in.mat.cc> <20160823124201.GB48814@xtaz.uk> <20160823195434.GB98827@xtaz.uk>
List-Id: Porting software to FreeBSD (freebsd-ports@freebsd.org)

On Tue, Aug 23, 2016 at 12:54 PM, Matt Smith via freebsd-ports <freebsd-ports@freebsd.org> wrote:

> On Aug 23 12:19, Roger Marquis wrote:
>
>> Matt Smith wrote:
>>
>>> Going slightly off-topic, I'm curious what the opinion is around this
>>> and LibreSSL.
>>
>> My organization evaluated this a few months ago and after a few diffs
>> and code reviews decided that libressl was the future. We updated
>> poudriere and all make.confs, removed openssl, installed libressl and
>> have had no issues. We did the same with openntp a few months earlier
>> and recommend both for any installation that needs good security.
>>
>> Roger
>
> I have been running libressl-devel for the past few months and other than
> having to manually patch a few ports to get them to compile have also had
> no problems. However this was the case a few months ago. My questioning is
> specifically related to the upcoming OpenSSL 1.1 which in theory has had a
> lot of work done to it by a full-time paid team of developers. In fact it
> was meant to be released back in May but was delayed specifically so that
> they could squash all remaining bugs. It would be interesting if somebody
> could audit the changes to see how it compares to LibreSSL after it's
> released. There is a possibility that it may actually be the better path
> going forward.
>
> --
> Matt

I think OpenSSL is the way to go at this time. I have great faith in the
skills of the people who work on LibreSSL, but they are very, very
conservative on things like new algorithms and will likely lag behind
OpenSSL for this reason. This will mean incompatibilities with some new
applications which will force the use of OpenSSL. Then you get into ugly
issues with multiple shareable libraries that will create conflicts that,
in Windows-land, are referred to as "DLL hell". Having spent too much time
there, once as a result of a mix of tools built with the base system
OpenSSL and ports OpenSSL. Also, even now (or last I looked) there are API
incompatibilities between the two as LibreSSL chose not to implement some
functions in OpenSSL which can force the use of OpenSSL, at least for some
ports.

There is no "right" answer to this. ATM, OpenSSL looks like the best choice
to me and that is what I use. Depending on the on-going level of support
for the two libraries, this may change, but it will be a problem for the
foreseeable future. Ya pays your money and takes yer chances, unless you
can bankroll support for one or the other by programmers competent in not
only coding, but cryptography. Those folks are few in number and way beyond
the budget of most of us.

--
Kevin Oberman, Part time kid herder and retired Network Engineer
E-mail: rkoberman@gmail.com
PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683
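The "DLL hell" Kevin describes, a binary pulling in both the base-system OpenSSL under /usr/lib and a ports copy under /usr/local/lib, is easy to detect before it bites. The script below is an added example, not code from the thread or from the FreeBSD ports tree: it parses `ldd` output, classifies every libssl/libcrypto it finds as "base" or "ports" by path prefix, and reports when both appear for one binary. The sample `ldd` output is constructed for the example; the library version numbers and binary path in it are placeholders.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Flags a binary whose
# dynamic linkage mixes the base-system OpenSSL (/usr/lib, /lib) with a
# ports-installed copy (/usr/local/lib). Reads ldd(1) output on stdin.

# ssl_libs_from_ldd: for each libssl/libcrypto line of ldd output, print
# "<base|ports> <resolved path>" so callers can see which copy is used.
ssl_libs_from_ldd() {
    awk '/lib(ssl|crypto)\.so/ {
        for (i = 1; i <= NF; i++) {
            # only the resolved path (an absolute path field), not "libssl.so.N =>"
            if ($i ~ /^\/.*lib(ssl|crypto)\.so/) {
                prefix = ($i ~ /^\/usr\/local\//) ? "ports" : "base"
                print prefix, $i
            }
        }
    }'
}

# mixed_ssl_linkage: exit 0 (true) when both a base and a ports copy of
# libssl/libcrypto appear in the ldd output on stdin, non-zero otherwise.
mixed_ssl_linkage() {
    out=$(ssl_libs_from_ldd)
    printf '%s\n' "$out" | grep -q '^base ' &&
        printf '%s\n' "$out" | grep -q '^ports '
}

# check_binary: run the check against a real executable (requires ldd).
check_binary() {
    ldd "$1" 2>/dev/null | mixed_ssl_linkage
}

# Constructed sample: a ports binary linked against ports libssl while a
# dependency drags in the base libcrypto. Paths and versions are placeholders.
SAMPLE_LDD='/usr/local/bin/example:
	libssl.so.39 => /usr/local/lib/libssl.so.39 (0x800a00000)
	libcrypto.so.8 => /usr/lib/libcrypto.so.8 (0x800c00000)
	libc.so.7 => /lib/libc.so.7 (0x801000000)'

if printf '%s\n' "$SAMPLE_LDD" | mixed_ssl_linkage; then
    echo "sample: mixed base/ports SSL linkage detected"
    printf '%s\n' "$SAMPLE_LDD" | ssl_libs_from_ldd
fi
```

In practice you would loop `check_binary` over the executables in /usr/local/bin and /usr/local/sbin after switching `DEFAULT_VERSIONS` in make.conf, so that any port still linked against the other library shows up before it fails at runtime with an unresolved symbol.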